U.S. Retailers Warned About Hacking Software

The Homeland Security Department has reported that more than 1,000 U.S. retailers could be infected with malicious software lurking in their cash register computers, allowing hackers to steal customer financial data. Businesses of all sizes were urged to scan their point-of-sale systems for software known as “Backoff,” which was discovered last October. The agency explained in detail how the software operates and how retailers could find and remove it. In August, United Parcel Service said it found infected computers in 51 stores. UPS said it was not aware of any fraud that resulted from the infection, but said hackers may have taken customers’ names, addresses, email addresses and payment card information. The company apologized to customers and offered free identity protection and credit monitoring services to those who had shopped in those 51 stores.

While Backoff was discovered in October, it appears that the software wasn’t flagged by antivirus programs until August. Jerome Segura, a senior security researcher at Malwarebytes, a cybersecurity software firm, said that the way Backoff works is not unique. The program gains access to companies’ computers by finding insufficiently protected remote access points and duping computer users into downloading malware. These are tricks that have long been in use and are often automated.

According to Segura, the hackers deploying the program have become increasingly sophisticated about identifying high-value computer systems after they have broken into them. The hackers have developed malware that is designed specifically for credit cards and can evade antivirus programs.

It’s believed that by using Backoff selectively, rather than distributing it widely on the Internet, the hackers have been able to escape detection for a longer period. Following Homeland Security’s warnings in July, however, companies are much better able to probe their own computers for Backoff. So-called chip-and-PIN technology would allow for more secure transactions than the magnetic stripe cards that most Americans use now. This technology has already been adopted in Europe and elsewhere.

It’s certain that by improving card technology and updating malware detection, retailers will be able to better defend themselves. Segura says that by limiting which portions of their systems can be accessed remotely, companies can limit the damage that hackers can do. But the bottom line is that retail businesses must gear up, make all necessary changes, and do a better job of protecting their customers.